The new General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. For
many private music tutors this is already causing uncertainty and confusion. The summary that
follows is the outcome of the research I have completed and steps I have taken to ensure that my
piano school is compliant with the new legislation.
Whilst GDPR is causing frustration amongst many, as I researched and explored its implications I
came to realise that the new regulations make a lot of sense. The Data Protection Act was written in
1998. At that time, most of us didn’t have a mobile phone, an iPad or even a laptop. I had a brick of a
computer at home with a dial-up modem that used my phone line. We used cheque books, instead
of online banking. We went to the shops instead of ordering shopping online and booked our
holidays through a high street travel agent. Cameras contained a roll of film that had to be
developed. In the digital age we should be demanding the very highest protection of our personal
data and we have a duty to provide that protection to our clients.
The most useful source of information was the Information Commissioner’s Office (ICO). There is
also plenty of information and advice available through the Federation of Small Businesses.
The ICO has developed a 12 step checklist of actions you can take to prepare for GDPR. According to
the ICO “Many of the GDPR’s main concepts and principles are much the same as those in the
current Data Protection Act (DPA)” so if you are compliant with current DPA legislation you have a
good foundation on which to build. If you haven’t yet looked at the Data Protection Act, it’s worth
understanding the eight principles of data protection.
That said, there are some significant differences including a greater emphasis on data controllers’
documentation to demonstrate accountability. Not everything on the ICO checklist is relevant in our
line of work; this document focusses on those areas that we do need to address.
1) Some useful definitions – and what it means for music teachers
There’s a lot of jargon flying about at the moment – I’ve tried to distil it into something we
can easily understand.
PERSONAL DATA “means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

We need to consider what data we hold about our students, their parents and any relevant staff or associates. The list of personal data we could process includes (but is not limited to):
• addresses
• phone numbers
• email addresses
• date of birth
• health information
• photographs
• videos
• academic records

A DATA CONTROLLER is any individual or organisation who determines the purpose for which and the manner in which personal data is processed.

A DATA PROCESSOR is any individual or organisation who processes data on behalf of the data controller. It’s important to understand that “processing” means doing any of the following with personal information:
• obtaining it
• recording it
• storing it
• updating it
• sharing it
• erasing it

Here are two illustrative – and real life – examples:

I obtain the date of birth (personal information) of my student (data subject). I (data controller) store it and decide to send it to the exam board (data processor) as part of their exam entry.

I obtain the bank details (personal information) of my student’s parents (data subjects). I (data controller) store it and decide to send it to my Direct Debit Collection agency (data processor) to ensure I am recompensed for my work.
There is a misconception that if you don’t store information on a computer then you do not need to
register. However, if you store phone numbers on a smartphone or use a digital camera or other
recording device, this is covered under the term “processing data electronically”.
3) Data Tracking
We need to document the personal data we hold, where it came from and who we share it with.
This is important because – under GDPR - if we have shared inaccurate information, it is our
responsibility to inform the other organisation about the error so they can correct their records. We
don’t need to publish this document but we do need to keep it up to date.
Another important addition to GDPR is that data subjects have the right to erasure. That means they
can ask you to delete all records of their data and you need to be able to comply.
Figure 1 shows a data tracking flowchart that I’ve compiled to help me to understand the flow of
data within my business.
Figure 1 – Data tracking flowchart (summary of the figure):
• Address, phone number, email address – shared with: accounting software provider
• Email address – shared with: direct e-mailing software provider
• Date of birth – shared with: exam board
Encore Music Tuition Ltd will be what is known as the ‘Controller’ of the personal data you provide
to us. Our company registration is 123456789 and our address is: 1, The Street, London
What we need
Unless otherwise agreed with you, we will only collect basic personal data about you and your child.
This information includes your name, home address, email address, bank details and your child’s
date of birth.
Why we need it
We need to know basic personal data in order to provide you with the services you have engaged us
to provide, and to assert our right to be recompensed in return for these services as per the
agreement we have with you. We will not collect any personal data from you that we do not need in
order to provide and oversee the services we have agreed to provide you with.
What we do with it
All the personal data we hold about you will be processed by the Encore Music team in the UK. The
information is also shared with the following third party organisations:
No other third parties will have access to your personal data unless there is a legal obligation for us
to provide it. We will take all reasonable steps to ensure that your personal data is processed
securely.
Clearly the legal obligations and legal claims are unlikely to apply to music teachers. And it is possible
that the necessity of processing personal data could be open to debate. This leaves us with consent.
In brief, consent must be a positive opt-in and cannot be assumed as a result of a pre-ticked box or
lack of response. It also has to be separate from other terms and conditions and it needs to be easy
for people to withdraw their consent. Consent must be specific, granular, clear, prominent, opt-in,
properly documented and easily withdrawn. If it’s not, new GDPR-compliant consent is needed –
including for our existing contacts and clients. It’s worth looking at the ICO’s consent checklist and
detailed guidance.
I recently received a request from the Duke of Edinburgh Award Scheme to opt-in to their mailing list
and I know that this is an area that I need to address. For my client mailing list, I need the parents of
all students to be actively subscribed so they receive essential information such as term dates,
concert schedules and other notices. For my wider mailing list, which includes teachers I have met at
conferences, prospective students and the like I need to retrospectively ask them to opt-in to the
mailing list going forwards.
Currently, I obtain consent for recording, filming and photographs to be taken and also seek
individual permission to publish those photographs as required. However, the consent does not
comply with new GDPR for the following reasons:
7) Awareness
The ICO states that decision makers and key people in our organisation need to be aware that the
law is changing and understand the impact this is likely to have. If you are working as a sole tutor
you don’t need to worry about this, but if you are heading up a school you need to make sure the
rest of your team knows what they need to do.
In communicating with existing students and their families, I think consistency is key. GDPR will be as
confusing for many of them as it is for us and it’s important to reassure them that the respect, care
and confidentiality with which we treat their personal data will not change. Quite simply, there is
more legislation with which we need to be compliant and their active opt-in will allow us to continue
operating as usual.
In summary, respecting and protecting the data of our students and their families is the right thing
to do. And with the threat of heavy fines for non-compliance (up to 4% of annual turnover or up to
£17M – whichever is greater) we have to be prepared for GDPR to come into effect on 25 May 2018.
[Disclaimer: Nothing in this article constitutes legal advice. Specialist advice should be taken in relation to specific circumstances. The
contents of this article are for general information purposes only. Whilst we endeavour to ensure that the information in this article is
correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. We shall not be
liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of, or inability to
use, this material, or from any action or decision taken as a result of using this material.]